The Photon operating system must configure Secure Shell (SSH) to ignore user-specific known_host files.

An XCCDF Rule

Details
Profiles

Description

SSH trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Individual users can have a local list of trusted remote machines, which must also be ignored while disabling host-based authentication generally.

ID: SV-258881r935567_rule
Version: PHTN-40-000218
Severity: Medium
References: CCI-000366
Updated: about 2 months ago

Remediation Templates

Navigate to and open:

/etc/ssh/sshd_config

Ensure the "IgnoreUserKnownHosts" line is uncommented and set to the following:
IgnoreUserKnownHosts yes

At the command line, run the following command:

# systemctl restart sshd.service

The Photon operating system must configure Secure Shell (SSH) to ignore user-specific known_host files.

Description

Remediation Templates

A Manual Procedure